Lattice-based cryptanalysis Thijs Laarhoven mail@thijs.com - PowerPoint PPT Presentation

v 8 Sieving v 11 3. Repeat with difference vectors until we find a shortest vector v 5 v 12 v 15 v 7 v 14 v 1 v 3 v 2 O v 6 v 10 v 9 v 13 v 4

v 8 Sieving v 11 3. Repeat with difference vectors until we find a shortest vector v 5 v 12 v 15 v 7 v 3 v 14 v 7 v 2 v 5 v 1 v 8 v 3 v 9 v 2 O v 6 v 1 v 6 v 10 v 4 v 9 v 13 v 4

v 8 Sieving v 11 Overview v 5 v 12 v 15 v 7 v 3 v 14 v 7 v 2 v 5 v 1 v 8 v 3 v 9 v 2 O v 6 v 1 v 6 v 10 v 4 v 9 v 13 v 4

v 8 Sieving v 11 Overview v 5 v 12 v 15 v 7 v 3 v 14 v 7 v 2 Heuristic (Nguyen–Vidick, J. Math. Crypt. ’08) Sieving solves SVP in time ( 4 / 3 ) n + o ( n ) and space ( 4 / 3 ) n / 2 + o ( n ) . v 5 v 1 v 8 v 3 v 9 v 2 O v 6 v 1 v 6 v 10 v 4 v 9 v 13 v 4

v 8 Sieving v 11 Overview v 5 v 12 v 15 v 7 v 3 v 14 v 7 v 2 Heuristic (Nguyen–Vidick, J. Math. Crypt. ’08) Sieving solves SVP in time ( 4 / 3 ) n + o ( n ) and space ( 4 / 3 ) n / 2 + o ( n ) . v 5 v 1 v 8 v 3 v 9 v 2 The list size comes from heuristic packing / saturation arguments, O v 6 v 1 the time complexity is quadratic in the list size. v 6 v 10 v 4 v 9 v 13 v 4

Sieving Near neighbor techniques O

v 8 Sieving v 11 Near neighbor techniques v 5 v 12 v 15 v 7 v 14 v 1 v 3 v 2 O v 6 v 10 v 9 v 13 v 4

v 8 Sieving v 11 Near neighbor techniques v 5 v 12 v 15 v 7 v 14 v 1 v 3 v 2 O v 6 v 10 v 9 v 13 v 4

v 8 Sieving v 11 Near neighbor techniques v 5 v 12 v 15 v 7 v 14 v 1 v 3 v 2 O v 6 v 10 v 9 v 13 v 4

v 8 v 8 Sieving v 11 v 11 Near neighbor techniques v 5 v 5 v 12 v 12 v 15 v 15 v 7 v 7 v 14 v 14 v 1 v 1 v 3 v 3 v 2 v 2 O v 6 v 6 v 10 v 10 v 9 v 9 v 13 v 13 v 4 v 4

v 8 v 8 Sieving v 11 v 11 Near neighbor techniques v 5 v 5 v 12 v 12 v 15 v 15 v 7 v 7 v 14 v 14 v 1 v 1 v 3 v 3 v 2 v 2 O v 6 v 6 v 10 v 10 v 9 v 9 v 13 v 13 v 4 v 4

v 8 Sieving v 11 Near neighbor techniques v 5 v 12 v 15 v 7 v 14 v 1 v 3 v 2 O v 6 v 10 v 9 v 13 v 4

v 8 Sieving v 11 Near neighbor techniques v 5 v 12 v 15 v 7 v 3 v 14 v 2 v 4 v 1 v 7 v 3 v 6 v 2 O v 5 v 1 v 6 v 10 v 9 v 13 v 4

v 9 Sieving v 12 Random hypercones v 5 v 13 v 16 v 7 v 15 v 1 v 3 v 8 v 2 O v 6 v 11 v 10 v 14 v 4

v 9 Sieving v 12 Random hypercones v 5 v 13 v 16 v 7 v 15 v 1 v 3 v 8 v 2 O v 6 v 11 v 10 v 14 v 4

v 9 Sieving v 12 Random hypercones v 5 v 13 v 16 v 7 v 15 v 1 v 3 v 8 v 2 O v 6 v 11 v 10 v 14 v 4

v 9 Sieving v 12 Random hypercones v 5 v 13 v 16 v 7 v 15 v 1 v 3 v 8 v 2 O v 6 v 11 v 10 v 14 v 4

v 9 Sieving v 12 Random hypercones v 5 v 13 v 16 v 7 v 15 v 1 v 3 v 8 v 2 O v 6 v 11 v 10 v 14 v 4

v 9 Sieving v 12 Random hypercones v 5 v 13 v 16 v 7 v 15 v 1 v 3 v 8 v 2 O v 6 v 11 v 10 v 14 v 4

v 9 Sieving v 12 Random hypercones v 5 v 13 v 16 v 7 v 15 v 1 v 3 v 8 v 2 O v 6 v 11 v 10 v 14 v 4

v 9 Sieving v 12 Random hypercones v 5 v 13 v 16 v 7 v 15 v 1 v 3 v 8 v 2 O v 6 v 11 v 10 v 14 v 4

v 9 Sieving v 12 Random hypercones v 5 v 13 v 16 v 7 v 15 v 1 v 3 v 8 v 2 O v 6 v 11 v 10 v 14 v 4

v 9 Sieving v 12 Random hypercones v 5 v 13 v 16 v 7 v 15 v 1 v 3 v 8 v 2 O v 6 v 11 v 10 v 14 v 4

v 9 Sieving v 12 Random hypercones v 5 v 13 v 16 v 7 v 15 v 1 v 3 v 8 v 2 O v 6 v 11 v 10 v 14 v 4

v 9 Sieving v 12 Randomly rotated cross-polytopes v 5 v 13 v 16 v 7 v 15 v 1 v 3 v 8 v 2 O v 6 v 11 v 10 v 14 v 4